I ripped one out in the elevator with the CEO. He said ‘you disgust me’ and the secretary ran out in floods of tears. About three months later I tendered my resignation because a promising opportunity for advancement presented itself.
Where my infosec homies at??
They were issuing a single SSL cert to all of their clients. This cert was encrypting CC data.
That SSL cert lived on an FTP server.
The password was something like Spring2019!
We stored clients’ images on an SFTP server. I was a web dev. I didn’t have access to the SFTP server. I had to tell a team what dirs to put assets in so my clients’ websites could display images.
… Tell me you’ve seen worse, and I’ll continue to up the ante.
I’m not sure I’ve seen worse, but I still want to see what’s worse than what you’ve posted
At the current company I’m at, I was reporting a slow virtual server. It looked like one of the monitoring scripts was stuck in a loop and slowing the machine to a crawl.
Call up cyber, they proceed to tell me it’s a drive issue. They google DRIVERS, download the first thing they see: an ad for some virus.
The machine ended up needing to be completely reimaged.
Some days, man.
They were issuing a single SSL cert to all of their clients.
How does this even work? Doesn’t the domain admin send their own CSR? Even if your company was serving as that admin, a single cert only works for the domain to which it’s assigned, so how could it be reused for multiple clients?
I think it was a self-signed SSL.
Not all SSLs are domain specific. There are wildcard domains (used for subdomains or related domains), and self-signed domains, and probably more.
Think like… A liquor store in the middle of nowhere that transmits CC data via internet. They have an SSL. They don’t necessarily even have a registered domain.
Self-signed certs are not viable for general use because they’ll generate a browser warning that “Joes Liquor Co is not a trusted Certificate Authority” that will scare off 99% of users. And wildcard certs still need at least one specific domain, e.g. *.joesliquor.com. The only way I can imagine this working is if the vendor was handing out separate servers on client.vendor.com and giving each of them the same SSL cert for *.vendor.com.
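As an added illustration of the wildcard point above (not code from the thread): a hostname matcher applying the RFC 6125/9525 wildcard rules that browsers use, showing why one *.vendor.com cert covers every client.vendor.com host but not the bare domain or deeper subdomains. All names are constructed for the example.

```python
"""Wildcard certificate name matching, added to illustrate the
*.vendor.com scenario discussed above (example code, not from the thread).

Rules implemented (RFC 6125 sec. 6.4.3 / RFC 9525):
  * the wildcard must be the entire leftmost label ("*.vendor.com");
  * it matches exactly one label, so "a.b.vendor.com" and the bare
    "vendor.com" are NOT covered;
  * a wildcard directly under a top-level label ("*.com") is rejected.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, and never "*.com" style.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):      # "*" covers exactly one label
        return False
    return p_labels[1:] == h_labels[1:]


def covered_clients(cert_names: list[str], hosts: list[str]) -> dict[str, bool]:
    """For each host, whether any SAN/CN entry on the cert covers it."""
    return {h: any(wildcard_matches(n, h) for n in cert_names) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: one wildcard cert shared by every client,
    # as the commenter above imagines the vendor doing.
    cert = ["*.vendor.com"]
    hosts = ["client1.vendor.com", "client2.vendor.com", "vendor.com",
             "shop.client1.vendor.com", "joesliquor.com"]
    for host, ok in covered_clients(cert, hosts).items():
        print(f"{host:26} {'covered' if ok else 'NOT covered'}")
```

Every host the matcher reports as covered is served with the same private key, which is the risk the thread is pointing at: one client’s server being compromised exposes the key protecting all of them.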
To explain my “fuck this shit” moment first we need to understand the company.
They were a smart pouring alcohol, beer, wine, alcohol, kombucha, whatever. They could pour it. They sold their product as PaaS, Pour as a Service. The idea was that you, a bar owner, could have them come in, install their taps (which they maintained) and you would have fancy data and controls over these taps.
You want 1 push to mean 12 oz of beer and for the taps to lock down at 12am automatically? Bam, they’d do it. In theory at any rate. Truthfully, they never could get the pours perfect. It was actually pretty hilarious in hindsight because they wanted to advertise that they were solving shrinkage and waste lol.
Let’s move along though, when I got hired, the tech stuff was handled by me, a full stack developer, two electrical engineers, an embedded developer and a shit tier consultant that wanted to use Ansible for EVERYTHING including Infrastructure as Code (we’ll touch on that).
The tech stuff was either non-distributed architecture, basically a piece of shit application made in Node.js running on, I shit you not, BeagleBone Blacks. For reference, page one of the user manual says “don’t use this in production” for good reason: one of the issues was the lack of a real-time clock, another was this hardware-level race condition where the BeagleBone just wouldn’t boot fully so it needed a reboot. Lol. Oh, also it was running Debian Wheezy in 2019 (unsure on exact timing), which had been EOLed back in 2018. I always found it amusing when they talked about security as if they gave a shit.
The other one was the distributed architecture; this was running on a board that was developed in house by one of the EEs. It had feature parity and was supposed to replace nonda. This one ran a bit differently, using async messaging and some really fancy bells and whistles. It was also running Debian Jessie, which wasn’t fantastic but better than nonda.
2 months after my hiring, the full stack developer left. The guy had a tendency to boil the ocean but he also knew damn near everything about both architectures. So losing him was fun and I had to take on everything he did, minus code, quickly. Our consultant meanwhile, took on very little.
As startups do, problems would happen and be band-aided, I would complain about tech debt, get ignored, and dumpster fires would happen as one would expect. After a while, we started losing more people: first the EE I wasn’t close to, then the embedded guy and finally the EE I was close to.
At this point, I was stressed beyond belief and fucking sick of it. Both the culture and the bullshit where if I fucked up, I got punished, but if the consultant fucked up or ignored policy nothing would happen.
I’m not sure on the timeline here but two things happened.
- there was an outage after hours. I wasn’t aware of it and was eating dinner with my family which is very important to me because family. After dad’s battle with cancer, I wanted to make sure important things like family dinner were a family time thing. No phones, no TV. Maybe music but mostly talking and spending time together.
Back to the story, I got called. Family excused me so I answered and was informed about the outage. They asked me to pitch in because it looked like something I was knowledgeable about, I said sure I don’t mind but I need to finish dinner with my family first, because we were already in the middle of it. Sounds reasonable right? Not to my boss. He demanded I stop, I held firm. He got pissy but relented and let me finish.
Bet you’re expecting some heroic effort and that I saved the day, right? Nah. I had nothing to do because it had nothing to do with me. No apology was given nor was a thank you extended. I literally sat there, scrolling reddit “being available”.
- after my team left, I got asked to step up and at that point I was getting interested in the SRE space. I had been interviewing and wanted the title. So I asked for it, and was told “I’ll think about it” after they said there would be no raise. Weeks passed, nothing happened. Not even a “hey we need to say no”. So I got an offer from my current employer, had the title I wanted and everything. I accepted and gave previous employer less than 2 weeks. First thing the boss asked was if it was because of the no promotion.
Fast forward 2 years to April of this year. The board of investors fired the owner and COO and the company declared bankruptcy. Good fucking riddance. Bunch of stupid fucking schmucks.
You want 1 push to mean 12 oz of beer and for the taps to lock down at 12am automatically? Bam, they’d do it. In theory at any rate. Truthfully, they never could get the pours perfect. It was actually pretty hilarious in hindsight because they wanted to advertise that they were solving shrinkage and waste lol.
Um. That should be incredibly easy. Pharmaceutical companies solved this decades ago. That’s how every single vial of whatever sterile contents is always exactly perfectly filled. Were they trying to reinvent the wheel or something? Why not just use a normal metering pump?
Uncarbonated liquids are dead simple to titrate, it’s true. For a carbonated product like beer, it’s actually a much more complicated problem than it seems. The amount of foam you get on a keg pour of beer is affected by a lot of variables: how clean the lines are, how cold the lines are, how long the lines are, the diameter of the lines, whether you’re using beer gas or CO2, how old the beer is, if it’s keg conditioned or force carbonated, how recently the keg was moved into refrigeration, how cold the beer itself is, if it’s the first pour of the day or if the tap has been running frequently, the mechanical design of the faucet, the temperature, cleanliness, shape, and size of the glass it’s going into, and more. It’s really fiddly business; I can’t see how a push-button system could take everything into account and render less wastage than a human operator with a feel for the system. Draft systems are voodoo, ask me how I know.
Anyway, companies typically have an unrealistic expectation of what draft wastage ought to be. I would advise any bar to expect something like 15% wastage at minimum on professional draft equipment, more if they’re using bargain-grade hardware anywhere in the system, but ownership doesn’t want to hear that.
I was working at a hospital that had to do ethics training twice per year because of previous violations. I was sitting on the floor in a super crowded room and the video opened with, “Do your ethics match those of your employer?” and I went, “Oh shit! They do not! I have to get out of here!”
I am confused? The “previous violations” were your doing or the employer’s?
The hospital had violations and for the next 5 (I think) years, all staff had to do ethics training twice per year. Money and productivity were much more important to them than patient care. Shortly before I left they quit buying wet wipes. Staff was expected to clean patients (bathing, vomit, BM, blood) with washcloths that were put into laundry bins for wash and reuse.